Relative Knowledge and Belief

(Extended Abstract)

Michael J. Fischer    Lenore D. Zuck


Abstract

Motivated by recent research in cryptographic protocols and formal theories of knowledge, we present a logic of feasible and probabilistic knowledge. Our notion of relative knowledge captures the idea of feasibly computable knowledge, and our notion of relative belief captures the idea of feasibly computable knowledge with a degree of confidence $\alpha < 1$. We illustrate the power of our definitions by characterizing the state of knowledge of the verifier after running an interactive proof of knowledge of a square root in $Z_n^*$.

1 Introduction

Much research in distributed computing and cryptographic protocols has centered on solving problems of multi-agent systems with various elements of uncertainty, e.g., the Byzantine generals problem (where uncertainty stems from the possible faultiness of the processes), mutual exclusion (where uncertainty stems from the asynchrony of the system), mental poker, etc. Intuitively, uncertainty implies lack of knowledge, and overcoming it implies establishing some degree of knowledge. This has led to the natural observation that a useful way to analyze distributed and cryptographic systems is in terms of knowledge and how communication changes the processors’ state of knowledge [CM86].

Our goal is to formalize the concepts of knowledge needed for reasoning about zero-knowledge interactive proofs of language membership [GMR85] and of knowledge [GHY85, FFS87, TW87]. Knowledge arises there in three places:

1. The knowledge the prover wishes to convey to the verifier (in the case of a proof of knowledge as opposed to a proof of language membership).

2. The knowledge the verifier gains after having run the protocol.

3. The knowledge the verifier does not gain after having run the protocol.

The need for such formalization is apparent. Feige, Fiat and Shamir [FFS87] say, “The notion of ‘knowledge’ is very fuzzy, and a-priori it is not clear what proofs of knowledge actually prove.” They discuss the difficulties of obtaining an adequate definition of knowledge; indeed, their formal definition of an interactive proof system of knowledge makes no explicit reference to knowledge concepts. Tompa and Woll [TW87] propose a different formal definition of an interactive proof system of knowledge; they also make no explicit reference to knowledge concepts.

This work was supported in part by the National Science Foundation under grant DCR-8405478 and by the Office of Naval Research under Contract N00014-82-K-0154.

In this paper, we develop a formal framework for knowledge that is adequate for expressing (1) and (2). This allows us, for example, to express the soundness property for an interactive proof system [TW87]. (Cf. our Theorem 2.) Our framework is not yet adequate to express the zero-knowledge property, which asserts that (3) includes all “important” facts. Defining a formal system of knowledge and showing that no knowledge property expressible in that system is unintentionally conveyed by the protocol is not enough; one must also demonstrate that the formal system is sufficiently expressive, i.e., able to express all “important” properties, perhaps by showing that any protocol that is zero knowledge in this formal sense is also zero knowledge in the sense of [GMR85]. We leave to future work the problem of extending our knowledge framework to handle (3).

The formal concept of knowledge in computer science has been an active area of research for the past several years, see, e.g., [HM84, FI86]. The main contribution of these works is the formalization of what we call implicit knowledge. Intuitively, a fact $\varphi$ is implicit knowledge for agent $i$ if it is necessarily true based on $i$’s local view of the world. In other words, $i$ knows $\varphi$, written $K_i\varphi$, if $\varphi$ is true in all states of the world that look the same to $i$ as the present state. This definition of knowledge satisfies the knowledge axiom

$$K_i\varphi \supset \varphi$$

which says that $i$ only knows true statements.

As many people have observed, implicit knowledge is inadequate for reasoning about the knowledge appearing in interactive proof systems. The reasons are manifold:

a. Implicit knowledge (and, in fact, all the notions of formal knowledge that we are aware of) deals with knowledge of predicates. However, in an interactive proof system the prover may want to convince the verifier it knows some value in a prescribed set of possible values, e.g., one of the four square roots of $y$ modulo a number $n$ that is the product of two large primes. (We denote this set by $\sqrt{y} \bmod n$.) We therefore need a concept of knowledge that captures knowledge of multi-valued functions.¹

b. Implicit knowledge ignores the computational complexity of extracting knowledge from the local view. For example, since $\sqrt{y} \bmod n$ is uniquely determined by $y$ and $n$, the prover always implicitly knows it. This implicit knowledge is however not feasible since the prover might not be able to obtain any element in $\sqrt{y} \bmod n$ efficiently (in probabilistic polynomial time), i.e., this knowledge is not feasible. The point of an interactive proof of knowledge of $\sqrt{y} \bmod n$ is that the prover be able to efficiently produce some element in the set.

c. Following our previous example, since we believe that finding any element in $\sqrt{y} \bmod n$ is computationally difficult, it seems that the prover can never know $\sqrt{y} \bmod n$ in a feasible way. Suppose, however, that the prover has a secret tape $s$. The prover can compute $s^2 \bmod n$. If, by chance, it equals $y$ then the prover knows an element of $\sqrt{y} \bmod n$. This may indeed be the essence of the prover’s knowledge in an interactive proof system, not that it can compute the square root of an arbitrary quadratic residue $y$, but only that it sometimes happens, for whatever reason, to already know such a square root. Our knowledge system must therefore be able to deal with such accidental knowledge.

¹ The obvious approach of defining knowledge of $f(x)$ as a conjunction of knowledge of each bit of $f(x)$ fails on two grounds: It does not extend to multi-valued functions, for knowing the $i$th bit of one of the possible values of $f(x)$ for each $i$ does not imply knowing all of the bits of the same value. It also does not extend to the probabilistic case, for knowing each bit of $f(x)$ with high confidence does not imply knowing the actual value of $f(x)$ with similar confidence.

d. Implicit knowledge lacks the expressive power which is required when reasoning about probabilistic protocols (of which interactive proofs are an example). In such a system, an agent might, e.g., “know” that $\varphi$ is true in 99% of the worlds that look the same to it as the current world. However, if $\varphi$ is false in the remaining 1% of the worlds, $\varphi$ is not always true and hence $i$ does not implicitly know $\varphi$.

e. Not only are interactive proof systems explicitly probabilistic, they are implicitly nondeterministic. For example, every cheating prover defines a different system when interacting with a correct verifier. Each of these systems is probabilistic, yet the verifier cannot tell which system it takes part in, nor is it realistic to assume a probability distribution on the possible protocols used by the cheating prover. Its knowledge at the end of the protocol must account for this nondeterminism.

To deal with (a), we extend implicit knowledge to deal directly with multi-valued functions of the state, and we observe that knowledge of a predicate can be treated as a special case of knowledge of a multi-valued function.

To deal with (b) and (c), we present a logic of “relative” knowledge that allows us to express both feasible knowledge and accidental knowledge. The idea behind our logic is that there be an efficient algorithm $M$ which, given the local view of an agent $i$ as input, either outputs one of the values of the function $f$ at the current state or says ‘?’ (meaning “I don’t know”). We call such an $M$ an $i$-feasible knowledge generator for $f$ and say that $i$ knows $f$ in a state relative to $M$ if $M$ produces a value other than ‘?’ given the agent’s current local view.

When applied to a predicate $\varphi$, the knowledge generator $M$ either outputs true or ‘?’, and it outputs true only when $\varphi$ really is true. Thus, we can view $M$ as a verification procedure for $\varphi$ — it “proves” $\varphi$ holds by outputting true. The statement “$i$ knows $\varphi$ relative to $M$” then means that “$M$ verifies for $i$ that $\varphi$ holds”. Since $M$ depends only on $i$’s local view, if it verifies $\varphi$ in state $g$, then it also verifies $\varphi$ in all states $g'$ that look the same to $i$ as $g$. Hence, relative knowledge of $\varphi$ implies implicit knowledge of $\varphi$.

Relative knowledge gives us a whole range of degrees of knowledge, each depending on the properties of the particular knowledge generator $M$. At the one extreme, a knowledge generator that never says ‘?’ is a feasible algorithm that an agent can use to find some value of the function at every global state. At the other extreme, a knowledge generator that always says ‘?’ is trivially correct but gives no useful information.

To deal with (d), we present a logic of probabilistic knowledge. Probabilistic knowledge often plays the same role as true knowledge, but, because the knowledge axiom does not hold, we refer to such knowledge as belief.² We introduce implicit belief which corresponds to knowledge in probabilistic systems. Unlike knowledge, belief is not absolute but is associated with a degree of confidence.

² Our notion of belief is of a probabilistic nature. This is different from other notions of belief based on the failure of the knowledge axiom for other reasons [FH85].


We then combine the definitions of implicit belief and relative knowledge to obtain relative belief by allowing the knowledge generator some probability of error. We call such unreliable knowledge generators belief generators. Not only does relative belief fail to satisfy the knowledge axiom, but it is also non-monotonic; extra information can lower one’s degree of confidence.

Finally, to deal with (e), we introduce non-determinism. We assume each agent has a set of probabilistic protocols from which it (non-deterministically) chooses one to execute. While each agent’s set of possible protocols is commonly known to all the other agents, the chosen protocol is not. The tuple of protocols collectively chosen by the agents constitutes a probabilistic system. A formula is known or believed if it is known or believed in all such tuples.

We demonstrate the utility of these definitions by applying them to a particular zero-knowledge interactive proof that the prover knows an element in $\sqrt{y} \bmod n$ [GMR85, TW87]. We give a succinct and rigorous expression and proof of the soundness condition for that protocol. This suggests that we have achieved at least partial success in combining the classical approach to the formal theory of knowledge with the notions of knowledge that have appeared in modern cryptographic protocols.

Related Work

Moses [Mos87] addresses problem (b) by adding to implicit knowledge the requirement that there be an efficient algorithm for deciding whether or not $K_i\varphi$ holds, given only $i$’s local view. This notion of feasible knowledge can be expressed within our framework as knowledge of the characteristic function of the predicate $\varphi$ relative to a knowledge generator $M$ that never outputs ‘?’. (The characteristic function $\chi_\varphi(g) = \{\mathit{true}\}$ if $\varphi$ is true at $g$, and $\chi_\varphi(g) = \{\mathit{false}\}$ if $\varphi$ is false at $g$.) This same $M$ also decides whether the implicit knowledge formula $K_i\varphi$ holds, so it satisfies Moses’s requirement.

Moses’s definition appears to be quite reasonable in the context of knowledge-based protocols [HF85, HZ87], where decisions must be made on the basis of an agent’s knowledge. However, it is too restrictive for our purposes, for by requiring that it capture implicit knowledge exactly, it fails to account for (c). In the same work, Moses acknowledges that in order to deal with issues in cryptography, his framework must be extended to talk directly about functions instead of only predicates and to include probability (our problems (a) and (d)).

In [Hal87], Halpern showed a way of defining “probabilistic knowledge” (which appears to be similar to our implicit belief) and claimed it can be easily extended to allow formalizing the knowledge of a verifier after an interactive proof; he gave an example of what such a formal statement might look like.

2 The Computational Model

We consider terminating distributed systems with a set $A$ of participating agents. A formal definition of a similar system appears in, e.g., [Hal86]; we briefly sketch it here.

The set of global states of a system $\mathcal{R}$ is denoted by $G = G_{\mathcal{R}}$. The set of local states of each agent (process) is denoted by $V$. For every agent $i \in A$, we assume some function $v_i : G \to V$ that maps each $g \in G$ to $i$’s local view of $g$. Given two global states $g$ and $g'$, we say that $g$ and $g'$ are indistinguishable to $i$, denoted by $g \sim_i g'$, if $i$ has the same local view in both, i.e., if $v_i(g) = v_i(g')$.

We assume each agent $i \in A$ runs a protocol which is a polynomial time Turing machine. The protocols together with an initial global state define the possible legal runs of the system, where each run is a finite sequence of global states. We therefore identify a system with its set of runs. A system $\mathcal{R}$ is deterministic (probabilistic) if the underlying protocols are deterministic (probabilistic).

We will generally be interested in probabilistic systems. We can consider a probabilistic system to be a deterministic system in which each participant $i$ has an additional (sufficiently long) random tape which it can read during the course of the computation. Assuming each cell of each random tape is chosen uniformly and independently from $\{0,1\}$, one gets an induced probability distribution on runs in the natural way.

For technical convenience, we assume that agents do not forget, i.e., in every run $r$, for every $k$, $1 < k \leq |r|$, $v_i(r_k)$ includes $v_i(r_{k-1})$, where $r_k$ is the $k$th state in $r$.

3 Knowledge

In this section, we define implicit and relative knowledge for deterministic protocols.

3.1 Implicit Knowledge

Let $\mathcal{R}$ be a deterministic system with global states $G = G_{\mathcal{R}}$. We assume a set of base facts (predicates) on the global states that varies from application to application. For example, if each global state $g$ includes a number $n(g) \in \mathbb{N}$, then we might consider a base fact prime such that for every $g \in G$,

prime$(g)$ iff $n(g)$ is a prime number.

Similarly, we assume a set of base multi-valued functions with domain $G$ that varies from application to application. For example, we can add a base function prime-factors: $G \to 2^{\mathbb{N}}$ by defining

prime-factors$(g) = \{p \mid p \text{ is a prime factor of } n(g)\}$.

We define a set of facts and a set of functions over $G$ inductively from the base functions and facts.

1. Base facts are facts.

2. If $f$ is a function, then $K_i f$ is a fact for every $i \in A$.

3. If $\varphi$ is a fact, then $K_i\varphi$ is a fact for every $i \in A$.

4. If $\varphi$ and $\xi$ are facts, then so are $\neg\varphi$ and $\varphi \vee \xi$.

5. Base functions are functions.

6. If $\varphi$ is a fact, then $f_\varphi$ is a function.

$f_\varphi$ is a multi-valued function associated with the fact $\varphi$. It simplifies our subsequent definitions by allowing us to define knowledge of facts in terms of knowledge of functions.


The following inductively defines the semantics of facts and functions. The semantics of a fact is defined as a satisfiability relation between a global state and the fact. Each function is defined as a mapping that takes a global state to a (possibly empty) set of values.

1. $g \models_{\mathcal{R}} p$ iff $p(g)$, where $p$ is a base fact.

2. $g \models_{\mathcal{R}} K_i f$ iff $\bigcap\{f(g') \mid g' \sim_i g\} \neq \emptyset$, where $f$ is a function.

3. $g \models_{\mathcal{R}} K_i\varphi$ iff $g \models_{\mathcal{R}} K_i f_\varphi$, where $\varphi$ is a fact.

4a. $g \models_{\mathcal{R}} \neg\varphi$ iff $g \not\models_{\mathcal{R}} \varphi$.

4b. $g \models_{\mathcal{R}} \varphi \vee \xi$ iff $g \models_{\mathcal{R}} \varphi$ or $g \models_{\mathcal{R}} \xi$.

5. The value of a base function is assumed to be known.

6. $f_\varphi(g) = \{\mathit{true}\}$ if $g \models_{\mathcal{R}} \varphi$, and $f_\varphi(g) = \emptyset$ (the empty set) if $g \not\models_{\mathcal{R}} \varphi$, where $\varphi$ is a fact.

Remarks

• Here and in the sequel, we omit mention of the system $\mathcal{R}$ when it is clear from context.

• If $f$ is a function then $g \models K_i f$ means “$i$ knows some value of $f$ at the current global state”.

• If $\varphi$ is a fact, then $g \models K_i\varphi$ means “$i$ knows that $\varphi$ is true at the current global state”.

• If for every $g$ the value of $f$ depends only on $v_i(g)$, then for every $g$, $g \models K_i f$ iff $f(g) \neq \emptyset$.

• If $\varphi$ is a fact then $g \models K_iK_j\varphi$ implies that $g \models K_i\varphi$. However, this is not true for functions.

3.2 Relative Knowledge

Implicit knowledge ignores the computational problem of determining from the local view of agent $i$ when a formula $K_i\varphi$ holds. For example, assuming $n$ and prime-factors are as defined previously, then $g \models K_i(\text{prime-factors})$ always holds, for the prime factors of an integer $n$ are uniquely determined by $n = n(g)$. On the other hand, the problem of factoring $n$ is believed to be computationally difficult, so there is no known efficient algorithm for computing prime-factors$(g)$, and hence $i$ has no feasible way of finding the prime factors of $n$ that she implicitly knows. Here we are interested in defining knowledge of a fact or function where computational limitations are taken into account.

Let $i$ be an agent in the system, let $f$ be a function with domain $G$, and let $M$ be a probabilistic polynomial time Turing machine. $M$ is an $i$-feasible knowledge generator for $f$ if for every $g \in G$, $M$ on input $v_i(g)$ outputs an element in $f(g) \cup \{\text{'?'}\}$.

We are now in a position to define relative knowledge. We say that agent $i$ knows a function $f$ in state $g \in G$ relative to a machine $M$, denoted by

$$g \models_{\mathcal{R}} K_i^M f,$$

iff $M$ is an $i$-feasible knowledge generator for $f$ and $M(v_i(g)) \neq$ ‘?’. Similarly, we say that agent $i$ knows a fact $\varphi$ in state $g \in G$ relative to a machine $M$, denoted by

$$g \models_{\mathcal{R}} K_i^M \varphi,$$

iff $g \models_{\mathcal{R}} K_i^M f_\varphi$.

Relative knowledge implies implicit knowledge, i.e., $K_i^M f$ implies $K_i f$. This is because $g \models K_i^M f$ implies that $M$ is an $i$-feasible knowledge generator for $f$ and $M(v_i(g)) \in f(g)$. It follows that for every state $g' \sim_i g$, ‘?’ $\neq M(v_i(g)) = M(v_i(g')) \in f(g')$, so $M(v_i(g)) \in \bigcap\{f(g') \mid g' \sim_i g\}$. Thus $g \models K_i f$.
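To make Sections 3.1 and 3.2 concrete, here is an added Python example (not code from the paper) on a constructed three-bit system: it implements $K_i f$ as the intersection over the $\sim_i$ class, $f_\varphi$, and $i$-feasible knowledge generators, and it checks the remark that $K_iK_j\varphi$ implies $K_i\varphi$ for facts but not for functions, and that $K_i^M f$ implies $K_i f$. The agents, states, base functions and generator names are assumptions made for the illustration.

```python
from itertools import product

# Constructed toy system (an added illustration, not from the paper).
# A global state is a triple (a, b, flag): a is agent i's secret bit,
# b is agent j's secret bit, flag is a public bit. VIEWS gives v_i and v_j,
# the projections of a global state onto what each agent can see.
STATES = list(product((0, 1), (0, 1), (0, 1)))
VIEWS = {
    "i": lambda g: (g[0], g[2]),   # v_i(g): i's own secret and the flag
    "j": lambda g: (g[1], g[2]),   # v_j(g): j's own secret and the flag
}

def same_view(agent, g, gp):
    """g ~_agent g'  iff  v_agent(g) == v_agent(g')."""
    return VIEWS[agent](g) == VIEWS[agent](gp)

def knows_function(agent, f, g):
    """g |= K_i f  iff  the intersection of f(g') over all g' ~_i g is non-empty."""
    common = None
    for gp in STATES:
        if same_view(agent, g, gp):
            common = set(f(gp)) if common is None else common & set(f(gp))
    return bool(common)

def fact_function(phi):
    """f_phi(g) = {true} if phi holds at g, and the empty set otherwise."""
    return lambda g: {True} if phi(g) else set()

def knows_fact(agent, phi, g):
    """g |= K_i phi  iff  g |= K_i f_phi."""
    return knows_function(agent, fact_function(phi), g)

def is_feasible_generator(agent, f, M):
    """M is an i-feasible knowledge generator for f if, on every local view
    v_i(g), it outputs an element of f(g) or '?'."""
    return all(M(VIEWS[agent](g)) in (set(f(g)) | {"?"}) for g in STATES)

def knows_relative(agent, f, M, g):
    """g |= K_i^M f  iff  M is i-feasible for f and M(v_i(g)) != '?'."""
    return is_feasible_generator(agent, f, M) and M(VIEWS[agent](g)) != "?"

# Base functions and a base fact for the toy system (constructed).
J_SECRET = lambda g: {g[1]}             # depends only on v_j, never on v_i
PRODUCT = lambda g: {g[0] * g[1]}       # a*b: fixed by v_i whenever a == 0
PHI = lambda g: g[2] == 1 or g[1] == 1  # a fact depending on b and the flag

# Two candidate knowledge generators for agent i (input is the view (a, flag)).
def M_product(view):
    a, _flag = view
    return 0 if a == 0 else "?"        # accidental knowledge: a == 0 forces a*b == 0

def M_guess(view):
    _a, flag = view
    return flag                        # guesses b = flag; wrong in some states

def remark_for_facts():
    """K_i K_j PHI -> K_i PHI holds at every global state."""
    return all((not knows_fact("i", lambda g2: knows_fact("j", PHI, g2), g))
               or knows_fact("i", PHI, g) for g in STATES)

def remark_counterexample():
    """States where K_i K_j f holds but K_i f fails, for f = J_SECRET."""
    return [g for g in STATES
            if knows_fact("i", lambda g2: knows_function("j", J_SECRET, g2), g)
            and not knows_function("i", J_SECRET, g)]

def relative_implies_implicit(agent, f, M):
    """Checks K_i^M f -> K_i f over the whole state space."""
    return all((not knows_relative(agent, f, M, g)) or knows_function(agent, f, g)
               for g in STATES)
```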


3.3 Probabilistic Relative Knowledge

The notion of relative knowledge generalizes easily to allow the knowledge generator itself to be a probabilistic algorithm. Such an algorithm $M$ computes a random function in which a probability is associated with each possible output of $M$ on a given input. We say that $M$ is $i$-feasible for $f$ if for every $g \in G$, every output of $M$ on input $v_i(g)$ with non-zero probability is in $f(g) \cup \{\text{'?'}\}$.

To generalize the notion of relative knowledge to probabilistic knowledge generators, we add a confidence value $\alpha$ to the knowledge operator and say that in state $g \in G$ agent $i$ knows a function $f$ with confidence $\alpha$ relative to a machine $M$, denoted by

$$g \models_{\mathcal{R}} K_i^{(\alpha, M)} f,$$

iff $M$ is an $i$-feasible probabilistic knowledge generator for $f$ and

$$\Pr[M(v_i(g)) \neq \text{'?'}] \geq \alpha.$$

Similarly, agent $i$ knows a fact $\varphi$ with confidence $\alpha$ relative to a machine $M$, denoted by

$$g \models_{\mathcal{R}} K_i^{(\alpha, M)} \varphi,$$

iff $g \models_{\mathcal{R}} K_i^{(\alpha, M)} f_\varphi$.

It follows from the above definitions that if $M$ is deterministic, then $g \models_{\mathcal{R}} K_i^M f$ implies $g \models_{\mathcal{R}} K_i^{(1.0, M)} f$.

Note that knowledge relative to probabilistic knowledge generators no longer satisfies the positive introspection axiom

$$K_i\varphi \supset K_iK_i\varphi$$

(when appropriate superscripts are added to the knowledge operators), that is, an agent may not know what it knows. The reason is that determining whether or not $i$ knows $\varphi$ with confidence $\alpha$ relative to $M$ depends on the probability $\beta$ with which $M$ outputs values $\neq$ ‘?’. Determining whether or not the inequality $\beta \geq \alpha$ holds when $\beta$ is very close to $\alpha$ may be computationally difficult. Nevertheless, we do not regard this as a serious deficiency in our approach. Our goal is to reason about resource-limited distributed computations; it is not necessary that the logic used for that reasoning itself have an efficient decision algorithm or even be decidable.


4 Belief

4.1 Implicit Belief

Our goal here is to define the knowledge of an agent participating in a probabilistic system. Consider for example an instrument called an “oilracle” which, once put on the ground, can detect with degree of accuracy .9 whether there is oil underneath. That is, in 90% of the places oilracle gives the correct answer as to whether or not there is oil underground, and in 10% of the places it gives the wrong answer.

Alice is a very fortunate person — 1% of the places in her enormous yard have oil under them. As Alice cannot dig up the whole yard in search of oil, she uses oilracle to decide where to dig. Suppose it says ‘yes’. Alice can reason that there is a 1/12th chance that there is oil in that place. This, however, is technically incorrect, for the presence or absence of oil in a place is not a random event: either there is or there is not oil there, and usage of oilracle can do nothing to change that fact. Rather, the probabilistic statement is really about Alice’s chance of finding oil in her yard: Alice knows that the probability is 1/12 that a randomly chosen place has oil, given that oilracle says ‘yes’.

Formally, let $G = G_{\mathcal{R}}$ be the set of global states of a probabilistic system $\mathcal{R}$, and let $g \in G$. We say that in state $g$, agent $i$ implicitly believes a function $f$ with a degree of confidence at least $\alpha$, denoted by

$$g \models_{\mathcal{R}} B_i^{\alpha} f,$$

if there exists a value $y$ such that

$$\Pr[y \in f(g') \mid g' \sim_i g] \geq \alpha.$$

Here $g'$ is a random state chosen from the equivalence class $[g]_{\sim_i}$ according to the induced probability distribution.

Putting the example in our formalism, before oilracle has been run, each place in Alice’s yard is in one of four possible global states, depending on whether or not there is oil underneath and whether or not oilracle would say ‘yes’ if put in that place. Alice cannot distinguish between these four states, so for each of these states $g$,

$$g \models B_{\mathit{Alice}}^{0.01}(\text{there is oil}) \wedge B_{\mathit{Alice}}^{0.99}(\text{there is no oil}).$$

After interrogating oilracle, Alice can distinguish those states where it said ‘yes’ from those where it said ‘no’, so for each state $g$ in which it said ‘yes’,

$$g \models B_{\mathit{Alice}}^{1/12}(\text{there is oil}) \wedge B_{\mathit{Alice}}^{11/12}(\text{there is no oil}).$$
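The oilracle computation above, carried out from the definition of implicit belief as an added Python example (not the paper’s own code): the four global states and their induced distribution are constructed as in the text, and the confidence of $B_{\mathit{Alice}}^{\alpha} f$ is computed as the best conditional probability over the equivalence class of states Alice cannot tell apart. The assumption that oilracle’s error is independent of the presence of oil is the example’s, as is the use of exact fractions.

```python
from fractions import Fraction

# Constructed model of the paper's oilracle example (added illustration, not
# the paper's own code). A global state for one place in Alice's yard is a
# pair (oil, says_yes): whether there is oil and whether oilracle says 'yes'.
P_OIL = Fraction(1, 100)     # 1% of the places have oil under them
ACCURACY = Fraction(9, 10)   # oilracle answers correctly at 90% of the places

def induced_distribution():
    """Probability of each of the four global states, assuming (as the
    example does) that oilracle's error is independent of where the oil is."""
    dist = {}
    for oil in (True, False):
        for says_yes in (True, False):
            p_place = P_OIL if oil else 1 - P_OIL
            p_answer = ACCURACY if says_yes == oil else 1 - ACCURACY
            dist[(oil, says_yes)] = p_place * p_answer
    return dist

def fact_function(phi):
    """f_phi(g) = {true} if phi holds at g, else the empty set."""
    return lambda g: {True} if phi(g) else set()

def belief_confidence(view, f, g, dist):
    """Largest alpha with g |= B_Alice^alpha f: the maximum over candidate
    values y of Pr[y in f(g') | g' ~ g], where g' ranges over the states
    Alice cannot distinguish from g, weighted by the induced distribution."""
    cls = [gp for gp in dist if view(gp) == view(g)]
    total = sum(dist[gp] for gp in cls)
    candidates = set().union(*(f(gp) for gp in cls))
    return max((sum(dist[gp] for gp in cls if y in f(gp)) / total
                for y in candidates), default=Fraction(0))

THERE_IS_OIL = fact_function(lambda g: g[0])
NO_OIL = fact_function(lambda g: not g[0])

def before_oilracle():
    """Alice cannot tell the four states apart: every state has the same view."""
    dist = induced_distribution()
    view = lambda g: ()
    g = (True, True)          # any of the four states gives the same answer
    return (belief_confidence(view, THERE_IS_OIL, g, dist),
            belief_confidence(view, NO_OIL, g, dist))

def after_oilracle_says_yes():
    """Alice now sees oilracle's answer, so ~_Alice splits on says_yes."""
    dist = induced_distribution()
    view = lambda g: g[1]
    g = (True, True)          # a state in which oilracle said 'yes'
    return (belief_confidence(view, THERE_IS_OIL, g, dist),
            belief_confidence(view, NO_OIL, g, dist))
```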

4.2 Relative Belief

Relative belief is the feasible version of belief, i.e., the probabilistic version of relative knowledge.

A “knowledge generator” that is allowed to err is called a “belief generator”. Intuitively, an $i$-feasible belief generator $M$ for a function $f$ is an oracle which, for every global state $g$, takes $v_i(g)$ as input. It may or may not give information about a value of $f(g)$, and when it does, the information may or may not be correct. Thus, any probabilistic polynomial time Turing machine can be considered to be an $i$-feasible belief generator; presumably, the less often it gives incorrect information the more useful it is. We say that $M$ lies on $g$ (in a particular computation) if the output $M(v_i(g))$ in that computation is not in $f(g) \cup \{\text{'?'}\}$.

Given a probabilistic system $\mathcal{R}$ whose set of global states is $G = G_{\mathcal{R}}$, let $\approx$ be an equivalence relation on $G$, which we call the context, and let $\alpha \in [0,1]$. Both $\approx$ and $\alpha$ are parameters that are used to specify the reliability of the belief generator. Let $i$ be an agent in the system, let $f$ be a function with domain $G$, and let $M$ be a probabilistic polynomial time Turing machine. $M$ is an $i$-feasible $(\alpha, \approx)$-reliable belief generator for $f$ if for every $g \in G$, the probability is at least $\alpha$ that $M$ does not lie on a random $g'$ which is chosen from $[g]_{\approx}$ according to the underlying probability distribution on global states. In other words, $M$ has to give good answers (i.e., a correct value of $f$ or ‘?’) with probability at least $\alpha$ within each equivalence class of $\approx$. Thus, the finer the equivalence relation $\approx$ and the larger the value of $\alpha$, the stronger this restriction becomes.

Let $g \in G$ be a global state. We say that an agent $i$ believes $f$ with confidence $\alpha$ in context $\approx$ relative to a machine $M$, denoted by

$$g \models_{\mathcal{R}} B_i^{(\alpha, \approx, M)} f,$$

iff $M$ is an $i$-feasible $(\alpha, \approx)$-reliable belief generator for $f$ and

$$\Pr[M(v_i(g)) \neq \text{'?'}] \geq \alpha.$$

Unlike the case of relative knowledge, relative belief does not imply implicit belief, i.e., $g \models B_i^{(\alpha, \approx, M)} f$ does not imply $g \models B_i^{\alpha} f$. This corresponds to our intuition: implicit belief assumes no resource boundedness, whereas relative belief may be based on less information. It is conceivable that one would believe less if one were given more information (e.g., have implicit belief). In the cases where the context relation is a refinement of the $\sim_i$ relations, relative belief does imply implicit belief.


5 Interactive Proofs

One of our goals in developing the concepts of relative knowledge and relative belief has been to explain the knowledge that is conveyed in an interactive proof [GMR85]. Consider for example the simple zero-knowledge interactive proof shown in Figure 1, which consists of two protocols, $P$ and $V$, to be run by two agents, a prover $p$ and a verifier $v$. The purpose of the protocols is for $p$ to convince $v$ that $p$ knows $y$ to be a quadratic residue modulo $n$.

Intuitively, if $p$ cannot efficiently compute a square root of $y$ modulo $n$ and yet $v$ accepts, then $v$ must have received a $w_b$ that satisfies the test in step 4 of $V$. However, since $p$ does not know a square root of $y$, it must be the case that $p$ cannot compute $w_0$ and $w_1$ that both satisfy $v$’s test. (If $p$ could compute both, then $p$ could compute $w_1 w_0^{-1} \bmod n$, which is a square root of $y$ modulo $n$.) Hence, $p$ must have been able to produce at most one of $w_0$ and $w_1$, and just by chance, that is the one that $v$ requested at stage 3. The probability of this happening is only 1/2. Hence, the probability that $v$ accepts and $p$

Protocol P (prover p)                            Protocol V (verifier v)

1. Generate a random z;                          1. Wait until u is received.
   send u = z^2 mod n to v.

2. Wait until b is received.                     2. Generate a random b ∈ {0,1}
                                                    (with equal probabilities);
                                                    send b to p.

3. Send w_b = z x^b mod n to v.                  3. Wait until w_b is received.
   (x is a fixed square root of y.)

                                                 4. If w_b^2 = u y^b (mod n)
                                                    then accept else reject.

Figure 1: Zero-knowledge proof of quadratic residuosity.


cannot efficiently compute a square root of $y$ is at most 1/2. Similarly, if we let $v$ run $V$ for $t$ iterations and accept only if it accepted in all $t$ iterations, then the probability that $v$ accepts and $p$ cannot efficiently compute a square root of $y$ is at most $1/2^t$.
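The protocol of Figure 1 and the extraction argument just given, as an added Python example (not code from the paper): it carries both parties’ messages for one iteration, the honest prover’s answers, the verifier’s test, the recovery of $w_1 w_0^{-1} \bmod n$ from two passing answers to the same $u$, and a prover without $x$ whose prepared answer passes exactly one of the two challenges, so that over all $2^t$ challenge sequences it is accepted in exactly a $1/2^t$ fraction. The small modulus, the secret $x$ and the helper names are constructed assumptions.

```python
import secrets
from fractions import Fraction
from itertools import product
from math import gcd

# Constructed parameters (added example, not the paper's code): n is the
# product of two small primes and x is the prover's secret square root of
# the shared input y. Real instances use primes of hundreds of digits.
P, Q = 1019, 1021
N = P * Q
X = 12345 % N
Y = X * X % N

def random_unit(n):
    """A random z with gcd(z, n) == 1, so that z is invertible mod n."""
    while True:
        z = secrets.randbelow(n - 1) + 1
        if gcd(z, n) == 1:
            return z

def verifier_check(u, b, w, y=Y, n=N):
    """Step 4 of V: accept iff w^2 == u * y^b (mod n)."""
    return pow(w, 2, n) == u * pow(y, b, n) % n

def honest_commit(n=N):
    """Step 1 of P: random z, u = z^2 mod n. Returns (private state z, u)."""
    z = random_unit(n)
    return z, pow(z, 2, n)

def honest_respond(z, b, x=X, n=N):
    """Step 3 of P: w_b = z * x^b mod n."""
    return z * pow(x, b, n) % n

def run_protocol(t, commit, respond, y=Y, n=N):
    """t iterations of Figure 1 with v tossing its coin each round;
    v accepts only if the test passes in every iteration."""
    for _ in range(t):
        state, u = commit()
        b = secrets.randbelow(2)
        if not verifier_check(u, b, respond(state, b), y, n):
            return False
    return True

def extract_root(w0, w1, n=N):
    """If w_0 and w_1 both pass v's test for the same u, then
    (w_1 / w_0)^2 == y, so w_1 * w_0^{-1} mod n is a square root of y."""
    return w1 * pow(w0, -1, n) % n

def extraction_recovers_x(x=X, y=Y, n=N):
    """One commitment, answers to both challenges, both checked against
    v's test; returns the root recovered from the pair (equals x here)."""
    z, u = honest_commit(n)
    w0, w1 = honest_respond(z, 0, x, n), honest_respond(z, 1, x, n)
    assert verifier_check(u, 0, w0, y, n) and verifier_check(u, 1, w1, y, n)
    return extract_root(w0, w1, n)

def cheating_commit(guess, y=Y, n=N):
    """A prover that does not know x guesses v's coin in advance: it picks a
    random w and sends u = w^2 * y^(-guess), which passes the test only for
    b == guess. Returns ((w, guess), u)."""
    w = random_unit(n)
    u = pow(w, 2, n) * pow(pow(y, -1, n), guess, n) % n
    return (w, guess), u

def cheating_respond(state, b):
    """The cheater can only ever send the w it prepared."""
    w, _guess = state
    return w

def cheater_round(guess, y=Y, n=N):
    """Which of the two challenges (b = 0, b = 1) the cheater's prepared
    (u, w) satisfies."""
    st, u = cheating_commit(guess, y, n)
    return tuple(verifier_check(u, b, cheating_respond(st, b), y, n) for b in (0, 1))

def cheater_accept_fraction(t, guesses, y=Y, n=N):
    """Enumerates all 2^t challenge sequences against a cheater whose
    per-round guesses are fixed; a run is accepted iff every round passes."""
    commits = [cheating_commit(gs, y, n) for gs in guesses]
    accepted = 0
    for challenges in product((0, 1), repeat=t):
        if all(verifier_check(u, b, cheating_respond(st, b), y, n)
               for (st, u), b in zip(commits, challenges)):
            accepted += 1
    return Fraction(accepted, 2 ** t)
```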

We  want  to  capture  the  intuition  described  above  in  our  formalism.  We  therefore  assume 
that  v  is  indeed  following  V,  and  that  p  is  following  some  arbitrary  protocol  Q.  Let  (y,  n)  £ 
N  x  N  denote  some  shared  input  of  the  system.  Let  y/y  be  a  function  that  for  every  g  £  Q 
returns  all  the  square  roots  of  y(g)  modulo  n(g).  We  can  show  the  following: 

Theorem  1  Let  g  ≈  g'  iff  n(g)  =  n(g'),  y(g)  =  y(g'),  and  g  and  g'  both  result  from  the
same  number  of  iterations  of  the  protocol.  Then  there  exists  a  v-feasible  belief  generator
M_v  and  a  p-feasible  knowledge  generator  M_Q  such  that,  for  every  global  state  g  in  which  v
is  in  an  accepting  state  after  running  the  protocol  for  t  iterations  and  for  every  ε  ∈  [0, 1],  if
δ  =  1/(2^t ε),  then

$g \models B_v^{(1-\delta,\,\approx,\,M_v)} K_p^{(1-\epsilon,\,M_Q)} \sqrt{y}.$

In  words,  when  v  accepts,  it  believes  with  confidence  1  −  δ  that  p  “can  compute”  √y
with  probability  at  least  1  −  ε.  Note  that  ε  is  arbitrary,  but  the  smaller  it  is,  the  larger  v’s
uncertainty  δ  becomes.  The  two  become  equal  when  ε  =  1/2^(t/2),  so  both  can  simultaneously
be  made  exponentially  small  in  t.

We  sketch  here  the  main  ideas  of  the  proof.  Details  are  deferred  to  the  full  paper. 

We  begin  by  looking  in  a  little  more  detail  at  the  interaction  of  the  arbitrary  protocol
Q  with  t  rounds  of  the  fixed  protocol  V.  During  such  a  run,  both  p  and  v  may  toss  coins.
Let  π_p  and  π_v  be  their  coin  toss  sequences,  respectively.  The  run  is  uniquely  determined  by
π_p  and  π_v.  Call  the  run  accepting  if  v  accepts  in  the  end.

We  are  now  in  a  position  to  define  M_Q:  M_Q  receives  as  input  the  local  view  of  p  at
the  end  of  the  protocol.  Recall  that  we  assume  agents  do  not  forget,  so  the  local  view  of
every  process  contains  the  complete  local  history  of  the  run.  Moreover,  because  v  sends
all  of  its  coin  tosses  to  p,  p’s  local  view  alone  contains  enough  information  to  completely
reconstruct  the  entire  run:  given  p’s  view  of  a  global  state  g,  M_Q  can  construct  the  coin
toss  sequences  π_p  and  π_v  that  determine  the  run  r  =  r_g,  and  then  simulate  Q  and  V  to
reconstruct  r  itself.

Assume  that  r  is  accepting.  Then  v  receives  a  good  value  in  step  3  of  its  protocol  at
each  iteration,  where  “good”  means  that  it  passes  the  test  in  step  4.  For  each  i,  1  ≤  i  ≤  t,
M_Q  will  carry  out  a  simulation  of  Q  interacting  with  V  using  p’s  coin  toss  sequence  π_p  and
v’s  coin  toss  sequence  π'_v.  The  latter  is  identical  to  π_v  except  that  the  ith  bit  has  been
flipped.  The  simulation  is  carried  out  for  i  iterations  of  V.  Denote  the  resulting  run  by  r'_i.
Because  π_v  and  π'_v  agree  in  the  first  i  −  1  positions,  r'_i  and  r  are  identical  through  the  first
i  −  1  iterations.  Let  b  and  b'  be  the  ith  bits  of  π_v  and  π'_v  respectively,  and  let  w_b  and  w_b'
be  the  corresponding  values  received  by  v  in  step  3  of  the  ith  iteration.  By  construction,
b  ≠  b'.  We  know  that  v  accepts  w_b  in  step  4.  If  v  also  accepts  w_b',  then  either  w_b/w_b'  or  its
inverse  is  a  square  root  of  y,  so  M_Q  can  determine  which  and  output  it.  Consequently,  if  for
some  i,  1  ≤  i  ≤  t,  r'_i  is  accepting,  then  M_Q  outputs  a  correct  √y.  If  r'_i  is  not  an  accepting
run  for  any  i,  then  M_Q  outputs  ‘?’.  Also,  M_Q  outputs  ‘?’  in  case  r  itself  is  not  an  accepting
run.

In  computing  r'_i,  it  may  be  the  case  that  p  needs  more  coin  tosses  than  are  contained  in
π_p.  If  so,  then  M_Q  extends  π_p  as  necessary  by  flipping  coins  itself.  Our  analysis  assumes
that  the  same  π_p  is  used  for  each  of  the  t  simulations;  hence,  whenever  π_p  is  extended  during
one  simulation,  the  extended  version  is  used  in  subsequent  iterations.

Let  α_Q  be  the  probability  that  a  random  run  of  Q  with  V  accepts.  We  argue  that  the
probability  that  M_Q  produces  a  square  root  of  y  on  a  random  run  is  at  least  α_Q  −  1/2^t.
Consider  a  fixed,  sufficiently  long  prover’s  coin  toss  sequence  π_p,  and  consider  the  2^t  runs
obtained  for  each  of  the  2^t  verifier  coin  toss  sequences  of  length  t.  If  two  or  more  of  those
runs  are  accepting,  then,  given  any  of  those  runs,  M_Q  will  always  succeed.  Hence,  the  only
accepting  runs  on  which  M_Q  fails  to  produce  a  square  root  of  y  are  those  in  which  all  of
the  other  2^t  −  1  related  runs  (with  the  same  prover’s  coin  tosses)  are  non-accepting.  The
probability  of  this  occurrence  is  at  most  1/2^t.  Note  that  if  π_p  is  not  sufficiently  long,  then
M_Q  extends  it  randomly,  and  the  above  remarks  apply  to  the  resulting  extension.
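To make the extractor argument concrete, here is an added example (not code from the paper) that implements the one-iteration steps of Figure 1, the t-iteration run fixed by the two coin toss sequences, the extractor M_Q that re-simulates with one verifier bit flipped, and the enumeration of the 2^t related runs used in the counting argument above. The modulus n = 77, the root x = 10 and the coin sequences are constructed toy values; the cheating_prover, which guesses the challenge bit in advance, is an assumption added to exhibit a family of related runs with exactly one accepting member, the only case in which M_Q is allowed to fail.

```python
"""Added example, not from the paper: the Figure 1 steps, the extractor M_Q of
the Theorem 1 proof sketch, and the 2^t-run counting argument.  All values are
constructed toy parameters; standard library only."""
from itertools import product
from math import gcd

# Constructed toy instance: n = 7 * 11, x a fixed square root of y modulo n.
N = 77
X = 10
Y = X * X % N  # 23


def verifier_accepts(u, b, w, y=Y, n=N):
    """Step 4 of Protocol V: accept iff w_b^2 == u * y^b (mod n)."""
    return w * w % n == u * pow(y, b, n) % n


def honest_prover(coin, b, x=X, n=N):
    """Protocol P for one iteration; coin is the random z, b the challenge.
    Returns (u, w_b) = (z^2 mod n, z * x^b mod n)."""
    z = coin
    return z * z % n, z * pow(x, b, n) % n


def cheating_prover(coin, b, y=Y, n=N):
    """Assumed prover that does not know x: coin = (guess, w).  It commits to
    u = w^2 * y^(-guess), so w passes step 4 iff b == guess; on a wrong guess
    it answers 0, which fails step 4 because u * y^b is a unit mod n."""
    guess, w = coin
    u = w * w * pow(pow(y, guess, n), -1, n) % n
    return u, (w if b == guess else 0)


def run(prover, prover_coins, verifier_bits):
    """t = len(verifier_bits) iterations; the run is fixed by (pi_p, pi_v).
    Returns (accepting, transcript) with transcript = [(u, b, w_b), ...]."""
    transcript = []
    for coin, b in zip(prover_coins, verifier_bits):
        u, w = prover(coin, b)
        transcript.append((u, b, w))
    return all(verifier_accepts(u, b, w) for u, b, w in transcript), transcript


def root_from_two_answers(u, w0, w1, y=Y, n=N):
    """Two accepting answers to the same u for b=0 and b=1 satisfy
    (w1/w0)^2 = u*y/u = y, so w1/w0 is a square root of y."""
    if gcd(w0, n) != 1:
        return None
    r = w1 * pow(w0, -1, n) % n
    assert r * r % n == y
    return r


def extractor_MQ(prover, prover_coins, verifier_bits):
    """M_Q from the proof sketch: from p's view of run r (which fixes pi_p and
    pi_v), re-simulate with the i-th verifier bit flipped for each i.  If r'_i
    also accepts, round i yields two accepting answers to one commitment and
    hence a square root; otherwise output '?'."""
    accepting, transcript = run(prover, prover_coins, verifier_bits)
    if not accepting:
        return "?"
    for i in range(len(verifier_bits)):
        flipped = list(verifier_bits)
        flipped[i] ^= 1
        acc_i, tr_i = run(prover, prover_coins, flipped[: i + 1])
        if acc_i:
            u, b, w = transcript[i]
            u2, _, w2 = tr_i[i]
            assert u2 == u  # u was sent before b, so both runs share it
            w0, w1 = (w, w2) if b == 0 else (w2, w)
            root = root_from_two_answers(u, w0, w1)
            if root is not None:
                return root
    return "?"


def count_related_runs(prover, prover_coins, t):
    """Counting argument: fix pi_p and enumerate all 2^t verifier sequences.
    Returns (#accepting runs, #accepting runs on which M_Q extracts a root);
    the two differ by at most 1, since M_Q fails only when every one of the
    other 2^t - 1 related runs is non-accepting."""
    accepting = extracted = 0
    for bits in product((0, 1), repeat=t):
        acc, _ = run(prover, prover_coins, bits)
        if acc:
            accepting += 1
            if extractor_MQ(prover, prover_coins, bits) != "?":
                extracted += 1
    return accepting, extracted


if __name__ == "__main__":
    print("honest  :", count_related_runs(honest_prover, [3, 5, 2], 3))
    print("cheating:", count_related_runs(cheating_prover, [(1, 4), (0, 9), (1, 6)], 3))
```

For the honest prover every one of the 2^t verifier sequences accepts and M_Q recovers x from any of them; for the guessing prover exactly one sequence accepts, all of its related runs reject, and M_Q outputs ‘?’, which is consistent with the bound α_Q − 1/2^t = 0 for that prover.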

Now,  let  γ  be  the  probability  that  the  formula

$g \models K_p^{(1-\epsilon,\,M_Q)} \sqrt{y}$

holds  in  a  random  accepting  state  g.  We  can  show  that

$\gamma \ge 1 - \frac{1}{\alpha_Q 2^t \epsilon}.$


Let  M_v  be  the  simple  belief  generator  that  outputs  true  on  all  accepting  states  after  t
rounds  and  outputs  ‘?’  elsewhere.  The  probability  that  M_v  lies  on  a  random  run  r  is  at
most  (1  −  γ)α_Q,  for  M_v  only  lies  when  r  is  accepting  and  $\neg K_p^{(1-\epsilon,\,M_Q)} \sqrt{y}$  holds.  Therefore,
the  probability  that  M_v  does  not  lie  is

$1 - (1-\gamma)\alpha_Q \ge 1 - \frac{1}{2^t \epsilon} = 1 - \delta.$

The  theorem  follows.


6  Cryptographic  Protocols 


Cryptographic  protocols  extend  distributed  protocols  by  being  non-deterministic  as  well
as  probabilistic.  Each  agent  is  allowed  at  the  beginning  to  non-deterministically  choose  a
protocol  from  some  set  of  possible  probabilistic  protocols.  The  set  of  chosen  protocols  forms
a  system  which  is  then  used  to  obtain  a  random  run.

More  precisely,  each  agent  i  has  a  set  of  possible  probabilistic  protocols,  denoted  by  $\mathcal{P}_i$.
Initially,  each  agent  chooses  (non-deterministically)  a  protocol  $P_i \in \mathcal{P}_i$.  This  choice  defines
a  system  $\mathcal{R}$  over  a  set  of  global  states  $G_{\mathcal{R}}$.  Thus,  a  cryptographic  protocol  is  a  family  of
(probabilistic)  systems.

Because  there  is  no  probability  distribution  on  the  choices  that  an  individual  agent 
makes,  we  cannot  make  probabilistic  statements  about  the  outcome  of  a  run  of  a  system 
chosen  in  this  way.  Rather,  the  only  statements  of  interest  are  those  that  are  valid  for  all 
possible  systems  allowed  by  the  protocol. 

Looking  back  at  Theorem  1,  we  see  that  the  particular  protocol  chosen  by  the  prover 
enters  into  the  statement  of  the  theorem  at  one  place — namely,  the  knowledge  generator  Mq 
depends  on  Q,  the  protocol  run  by  p.  In  order  to  get  a  statement  valid  about  cryptographic 
protocols  instead  of  just  systems,  we  must  modify  our  definitions  slightly. 

First  of  all,  we  interpret  formulas  at  pairs  $(\mathcal{R}, g)$  where  $\mathcal{R}$  is  the  system  (i.e.,  the  protocols
chosen  by  each  of  the  individual  agents)  and  $g \in G_{\mathcal{R}}$  is  a  global  state.  For  example,  in  an
interactive  proof  system,  the  formulas  are  interpreted  over  pairs  of  the  form  $(\mathcal{R}, g)$,  where
$\mathcal{R} \in \mathcal{P}_p \times \mathcal{P}_v$  and  $g \in G_{\mathcal{R}}$.  Secondly,  we  replace  the  knowledge  (resp.  belief)  generator  in  the
superscripts  of  the  K  (resp.  B)  operator  with  a  family  of  knowledge  (resp.  belief)  generators,
indexed  by  the  protocol  being  run  by  the  agent  i  associated  with  the  operator.  Thus,  $K_i^{M_i}$
is  replaced  by  $K_i^{\mathcal{M}_i}$,  where  $\mathcal{M}_i$  maps  the  protocol  $P_i$  run  by  agent  i  to  a  knowledge  generator
$M_{P_i}$.  The  interpretation  of,  say,  $((Q,V), g) \models K_p^{\mathcal{M}} \varphi$  is  the  same  as  that  of  $g \models K_p^{M_Q} \varphi$,  where
$M_Q = \mathcal{M}(Q)$  is  the  knowledge  generator  corresponding  to  the  protocol  $Q \in \mathcal{P}_p$.  The  B
operator  is  handled  similarly.

In  this  way,  we  get  the  following  restatement  of  Theorem  1: 

Theorem  2  Let  $\mathcal{P}$  be  a  family  of  prover  protocols  and  V  the  verifier  protocol  of  Figure
1.  For  each  $Q \in \mathcal{P}$  let  $\mathcal{R}_Q$  denote  the  system  (Q, V)  and  define  ≈  such  that  g  ≈  g'  iff
n(g)  =  n(g'),  y(g)  =  y(g'),  and  g  and  g'  both  result  from  the  same  number  of  iterations
of  the  protocol.  Then  there  exists  a  family  of  knowledge  generators  $\mathcal{M}$  and  a  single  belief
generator  $M_V$  such  that  for  all  probabilistic  polynomial  time  prover  protocols  $Q \in \mathcal{P}$,  all
(y, n)  ∈  N  ×  N  and  all  ε  ∈  [0, 1],  if  δ  =  1/(2^t ε)  and  g  is  a  global  state  in  which  V  accepts
after  running  the  verifier  protocol  for  t  iterations,  then

$(\mathcal{R}_Q, g) \models B_v^{(1-\delta,\,\approx,\,M_V)} K_p^{(1-\epsilon,\,\mathcal{M})} \sqrt{y}.$

Details  of  the  proof  are  deferred  to  the  full  paper. 

7  Current  Research  and  Open  Problems 

We  presented  a  logic  of  relative  knowledge  and  belief  that  enables  us  to  reason  about
computable  knowledge  in  deterministic  as  well  as  in  probabilistic  systems.  This  logic  has
numerous  applications,  especially  in  the  area  of  cryptographic  protocols.  We  demonstrated
one  application  by  defining  what  it  is  that  the  verifier  learns  when  it  accepts  after  running
an  interactive  proof  of  knowledge  of  a  square  root  in  Z_n^*.  We  are  currently  trying  to  apply
the  ideas  presented  in  this  paper  to  formalize  what  it  is  that  the  verifier  does  not  learn  in
order  to  make  formal  sense  of  the  notion  of  “knowledge”  in  zero-knowledge  proofs.